CVE-2018-12999 — Improper Input Validation in Manageengine Desktop Central

CWE-20 — Improper Input Validation3 documents3 sources

Severity

7.5HIGHNVD

EPSS

9.7%

top 7.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Desktop Central

Timeline

PublishedJun 29

Latest updateMay 14

Description

Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDzohocorp/manageengine_desktop_central10.0.255

🔴Vulnerability Details

GHSA

GHSA-pf9m-66cq-7fx9: Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10↗2022-05-14

▶

CVEList

CVE-2018-12999: Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10↗2018-06-29

▶